Senior Internal Auditor

Job Description

Metrolinx is connecting communities across the Greater Golden Horseshoe. Metrolinx operates GO Transit and UP Express, as well as the PRESTO fare payment system. We are also building new and improved rapid transit, including GO Expansion, Light Rail Transit routes, and major expansions to Toronto’s subway system, to get people where they need to go, better, faster and easier. Metrolinx is an agency of the Government of Ontario.
At Metrolinx, equity, diversity and inclusion are essential to living our values of serving with passion, thinking forward and playing as a team.

The Internal Audit (IA) team, working in partnership with all Business Units, reviews, assesses and recommends process and control enhancements. Business Units remain responsible for designing and operating necessary controls to protect and enhance Metrolinx assets and reputation.


The Sr. IT Internal Auditor has responsibility for executing work under the Information Technology and PRESTO activities in the Internal Audit annual audit plan. The position is responsible for completing control testing and preparing reports under the supervision of the Manager, IT Audit and Director, IT Audit.


The role will execute compliance audits and provide advisory support on IT general computing controls, privacy and security activities, system security configurations, IT project management activities, financial and payment process controls, service provider compliance audits, and entity level security controls.  The position will support findings with IT and PRESTO leadership and provide feedback on the implementation of IT governance, risk, and control practices.  The role will execute IT audits and integrated audits in accordance with the annual internal audit plan.  This role contributes to the practical recommendations provided to management based on evidence-based testing, experience, and advisory support to management on new initiatives and services from an internal control perspective.


This Sr. IT Auditor role will bring previous and relevant expertise in the design, performance, monitoring and testing of controls using analytics tools including ACL, PowerBI, Azure Data Factory and Databricks.

What will I be doing?
  • Participates in audits and projects that are primarily information system and control focused.  Other work may include financial, operational, internal control, value for money, and compliance audits and related risk assessments under the supervision of the Audit Manager;
  • Performs risk assessments for each assigned audit; develops process maps and documentation to support control gap analysis;
  • Designs and executes the test steps for each assigned audit under the supervision of the Manager;
  • Defines the business requirements to develop and maintain data-based analytics to test controls at the population level;
  • Performs audits in conformance with professional (IIA) and divisional standards and industry best practice, including working with co-sourced audit service providers and utilizing the IIA competency framework;
  • Leverages deep understanding and application of IT control and governance best practices to support their work, including ISACA IT governance, NIST cybersecurity and IIA GTAG frameworks;
  • Identifies and clearly defines audit issues and root causes; recommends improved internal controls and business processes;
  • Assists the Manager to maintain a database of management’s action plans; monitors action plans for timely implementation, and considers the impact of significant subsequent operational changes;
  • Assists the Manager and Director to maintain positive working relationships with MTO’s Internal Audit Team (MTO-IA) and the OAGO; liaises between external audit groups and Metrolinx technology and business units;
  • Works in partnership with IT and PRESTO Business Units to review and assess current processes, recommend pragmatic and sustainable solutions/enhancements, and engage fellow employees to actively identify and manage business risks and controls;
  • Develops and maintains a positive and productive working relationship with staff and management throughout the organization, with a ‘no surprises’ approach to audit work and findings;
  • Maintains an up-to-date knowledge of the standards and guidance included in the International Professional Practice Framework (IPPF) developed by the IIA; stays current with evolving knowledge in the field of Internal Auditing; maintains compliance with IIA standards and its Code of Ethics;
  • Maintains familiarity with current events and risk developments in the areas of IT Governance and Controls.
What Skills and Qualifications Do I Need?
  • Completion of a degree in Business Administration, Accounting, Engineering, Information Technology, or a related discipline – or a combination of education, training and experience deemed equivalent
  • Minimum six (6) years of experience in a role managing risks, processes and controls from an Information Technology or Data Management perspective. Preference will be given for experience in industries with capital intensive projects, public sector information technology, or with an audit / consulting firm.
  • Must become a member of the Institute of Internal Auditors and Information Systems and Control Association and have current designations related to IT Audit and Security:
  • Examples of required designations:
    • ISACA designations: Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC)
    • Auditing/Accounting: Certified General Accountant (CGA), Chartered Professional Accountant - Certified Professional / Management Accountant (CPA, CMA), Chartered Professional Accountant / Chartered Accountant (CPA, CA), with preference given to CPA, CA due to the professional auditing skills obtained during the course of obtaining a CPA, CA designation
  • Continuing education and a desire to develop designations and certifications in auditing, project management, and technology are preferred;
  • Other relevant designations are expected, with priority given to auditing designations:
    • Technology: Control Objectives for IT (CobiT); Information Technology Infrastructure Library (ITIL)
    • Fraud: Certified Fraud Examiner (CFE) or Certified Forensic Investigator (CFI)
    • IIA designations: Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certification in Control Self-Assessment (CCSA), Certification in Risk Management Assurance (CRMA), and Certified Financial Services Auditor (CFSA)
Don’t Meet Every Requirement? 
If you’re excited about working with Metrolinx but your past experience doesn’t quite align with every qualification of this posting, we encourage you to apply. You just might be the right candidate for this or other roles. We are always looking for great talent to join our team.
We invite all interested individuals to apply and encourage applications from members of equity-deserving communities, including those who identify as Indigenous, Black, racialized, women, people with disabilities, and people with diverse gender identities, expressions and sexual orientations.
We value the unique skills and experiences each person brings to Metrolinx and are committed to creating and maintaining an inclusive and accessible environment. We are committed to the requirements of the Accessibility for Ontarians with Disabilities Act so if you require accommodation during the hiring process, please let our Recruitment team know by contacting us at: 416-202-5601 or email
Application Process:

All applicants must be legally entitled to work in Canada. Metrolinx will be using email to communicate with you for all job competitions. It is your responsibility to include an updated email address that is checked daily and accepts emails from unknown users. As we send time-sensitive correspondence, we recommend that you check your email regularly. If no response is received, we will assume you are no longer interested in pursuing the opportunity. Please be advised that a Criminal Record Check may be required of the successful candidate. Should it be determined that any background information provided is misleading, inaccurate or incorrect, Metrolinx reserves the right to discontinue with the consideration of your application.
Metrolinx employees are required to be fully vaccinated against COVID-19 in accordance with Metrolinx’s Mandatory COVID-19 Vaccination Standard, made under the Metrolinx Communicable Diseases in the Workplace Policy, as a condition of being eligible for the recruitment process.  Proof of COVID-19 vaccination will be required.  If you are not able to obtain COVID-19 vaccination for a reason related to a protected ground of discrimination under applicable human rights legislation, you can request accommodation from Metrolinx.
We thank all applicants for their interest; however, only those selected for further consideration will be contacted.